On October 10, 2019, California Attorney General Xavier Becerra issued proposed regulations implementing and interpreting the California Consumer Privacy Act (CCPA). The draft regulations address privacy policies, consumer notices, practices for handling consumer requests, ways to verify consumer requests, requirements regarding minors, and rules governing nondiscrimination practices. The regulations are currently in draft form, with
Wendell Bartnick
Last minute amendments likely finalize CCPA language for January 1 deadline.
Late last week, the California legislature approved five bills intended to clarify the scope and required compliance obligations of the California Consumer Privacy Act (CCPA or the Act). Organizations now have just over three months to determine whether they need to comply with the newly amended CCPA, assess what their obligations are, and implement the policies, procedures, and operational changes necessary to comply with the law.
Five amendments passed: AB 25, AB 874, AB 1146, AB 1355, and AB 1564. Significant impacts of the amendments that were enacted include:
- The amendments clarify that, at least for 2020, this consumer privacy law will apply to personal information of employees, job applicants, and contractors and personal information collected through certain business-to-business interactions but only in certain respects.
- The amendments add flexibility to the processes that businesses may use for receiving and verifying consumer access and deletion requests.
- The amendments exclude from CCPA applicability certain processing of consumer report data is already governed by the federal Fair Credit Reporting Act.
- The amendments clarify how encryption and redaction may play into the private right of action for data breaches.
- The amendments confirm that properly deidentified or aggregate data is not personal information under the Act.
Continue Reading Last minute amendments likely finalize CCPA language for January 1 deadline.
Texas makes its data breach notification law more current
Texas will see changes to its breach notification law, but comprehensive privacy legislation at the state level will not occur until 2021 at the earliest. This year, two privacy bills were introduced in the Texas legislature. House Bill 4518 (modeled on the California Consumer Privacy Act) did not pass in any form. The other bill,…
FERC requests comments on proposed new CIP Reliability Standard regulating the transmission of data between control centers
On April 18, 2019, the Federal Energy Regulatory Commission (FERC) issued a Notice of Proposed Rulemaking (NOPR) requesting comments on proposed Critical Infrastructure Protection (CIP) Reliability Standard CIP-012-1. As written, CIP-012-1 will require responsible entities to implement controls to protect communication links and data transmissions in an effort to mitigate cybersecurity risks to communications between…
OCR releases new FAQs on use of health apps
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) released a new set of Health Insurance Portability and Accountability Act (HIPAA) FAQs building upon prior guidance from OCR. The new FAQs discuss the applicability of HIPAA to covered entities and business associates that interact with health apps and explain when…
Illinois Biometric Information Privacy Act violation does not require an allegation of actual harm
Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (BIPA) stands out among state biometrics statutes nationwide in that it includes a private right of action for anyone “aggrieved” by a private entity’s failure to comply with BIPA’s compliance requirements. The Illinois Supreme Court recently ruled that a plaintiff may assert that they are…
NERC enforcement action provides guidance to electric industry for compliance with the Critical Infrastructure Protection Reliability Standards
On January 25, 2019, a settlement agreement was reached between a utility company, which allegedly violated the Critical Infrastructure Protection (CIP) Reliability Standards, and the North American Reliability Corporation (NERC). Through this settlement, NERC provides guidance to the electric industry for compliance with the CIP Reliability Standards. The substantial penalties should prompt companies to educate…
President prioritizes research, development, and deployment of artificial intelligence technology
The President has made artificial intelligence technology a policy priority. On February 11, 2019, the President issued an Executive Order to direct most federal executive agencies to promote and protect American advancements in artificial intelligence while working with private industry. The order recognized that public trust in artificial intelligence is an important factor in the development and use of the technologies, and highlights the need to “protect civil liberties, privacy, and American values in their application in order to fully realize the potential of AI technologies for the American people.”>
Specifically, the President ordered the agencies to consider artificial intelligence as a research and development priority and
- Invest in artificial intelligence (for example, machine learning) research and development.
- Enhance access to data, models, algorithms, and computing resources to promote artificial intelligence research and development (consistent with obligations to maintain safety, security, privacy, and confidentiality).
- Reduce barriers to the use of artificial intelligence (for example, machine learning) technologies.
- Help develop technical standards that minimize vulnerability to attacks and “reflect Federal priorities for innovation, public trust, and public confidence in systems that use AI technologies.”
- Train a workforce that can develop and take advantage of developments in artificial intelligence.
- Develop an action plan to “to protect the advantage of the United States in AI and technology critical to United States economic and national security interests against strategic competitors and foreign adversaries.”
Notable challenges from the updated Massachusetts data breach notification law
The update to the existing Massachusetts data breach notification statute (set to go into effect on April 11, 2019) introduces novel requirements for notices to both affected individuals and regulators and requires credit monitoring services to be offered in some instances for at least 18 months. The legislation updates the statute in a number of particulars, but we focus here on the most notable new requirements.
Notable updates
Notices to affected individuals. The updated statute may require an organization to provide affected individuals with multiple (that is, repeat) notifications if after the initial notice the organization discovers information that updates or corrects the information required to be in such notifications. Other breach notification laws, like the EU’s General Data Protection Regulation and Canada’s breach notification law, may impose an ongoing obligation on organizations to notify regulators with updated information about breaches, but the Massachusetts statute may apply that same obligation to individual notices. The statute also sets forth additional content categories that the notices must contain.Continue Reading Notable challenges from the updated Massachusetts data breach notification law
Electric industry should focus efforts in 2019 to meet additional cybersecurity and supply chain requirements
In late 2018, the Federal Energy Regulatory Commission (FERC) published a final rule updating and adding to the Critical Infrastructure Protection (CIP) Reliability Standards, which are intended to help protect the bulk electric system (BES) in North America against cybersecurity risks. The final rule:
- Creates a new Supply Chain Risk Management Reliability Standard (CIP-013-1)
- Updates
…